A Toolkit for Ring-LWE Cryptography

Vadim Lyubashevsky (INRIA & ENS Paris), Chris Peikert (Georgia Tech), Oded Regev (Courant Institute, NYU)

Eurocrypt 2013, 27 May
Lattice- and Ring-Based Cryptography

◮ Offers worst-case hardness [Ajtai’96, ...], asymptotic efficiency & parallelism, and (apparent) quantum resistance.
◮ Many exciting developments in recent years:
  ⋆ Encryption [R’05, PW’08, PVW’08, ACPS’09, ...]
  ⋆ Signatures [LM’08, GPV’08, L’09, CHKP’10, B’10, GKV’10, BF’11ab, L’12, ...]
  ⋆ (H)IBE & FE [GPV’08, CHKP’10, ABB’10, AFV’11, ...]
  ⋆ FHE [G’09, vDGHV’10, SV’11, BV’11ab, BGV’12, B’12, ...]
  ⋆ Multi-linear maps [GGH’13, CLT’13, ...]
◮ Most modern schemes are based on the SIS/LWE problems [A’96, R’05] and/or their ring variants [M’02, PR’06, LM’06, LPR’10].
  ✗ SIS/LWE aren’t quite practical: $\Omega(n^2)$ key sizes and runtimes.
  ✔ Ring-based primitives are! $\tilde{O}(n)$ complexity.
LWE Over Rings, Over-Simplified [LPR’10]

Ring $R := \mathbb{Z}[X]/(1 + X^n)$ for some $n = 2^k$, and $R_q := R/qR$.

◮ For $s \leftarrow R_q$, the pairs $\{(a_i, b_i)\}$ are computationally indistinguishable ($\stackrel{c}{\approx}$) from uniform pairs $\{(a_i, b_i)\}$:
  $a_1 \leftarrow R_q,\quad b_1 = a_1 \cdot s + e_1 \in R_q$
  $a_2 \leftarrow R_q,\quad b_2 = a_2 \cdot s + e_2 \in R_q$
  $\ldots$
◮ Error (“noise”) terms $e(X) \in R$ are “short.” What could this mean?
  $e(X) = \sum_{j=0}^{n-1} e_j X^j \;\longleftrightarrow\; (e_0, e_1, \ldots, e_{n-1}) \in \mathbb{Z}^n.$
◮ Applications need $(+, \cdot)$-combinations of errors to remain short, so that we can “decode” them modulo $q$. This significantly affects security.
  $\|e + e'\| \le \|e\| + \|e'\|, \qquad \|e \cdot e'\| \le \sqrt{n} \cdot \|e\| \cdot \|e'\|.$
  (The “expansion factor” $\sqrt{n}$ is a worst-case bound and is often quite loose.)
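The slide's sample $b = a \cdot s + e$ over $R_q = \mathbb{Z}_q[X]/(1 + X^n)$ and its two norm bounds, as an added worked example that is not part of the talk. The parameters $n = 8$, $q = 257$, the error bound and the uniform (rather than Gaussian) error distribution are constructed toy choices; the point is to see negacyclic multiplication, decoding of a short error modulo $q$, and how far below $\sqrt{n}$ the actual product expansion lands.

```python
import math
import random

def negacyclic_mul(f, g, n):
    """Multiply in Z[X]/(1 + X^n): a term landing at X^(n+k) wraps to -X^k."""
    out = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < n:
                out[i + j] += fi * gj
            else:
                out[i + j - n] -= fi * gj
    return out

def norm(f):
    """Euclidean norm of the coefficient vector (e_0, ..., e_{n-1})."""
    return math.sqrt(sum(c * c for c in f))

def centered(f, q):
    """Lift each coefficient mod q to its centered representative, |c| <= q/2."""
    return [((c + q // 2) % q) - q // 2 for c in f]

def rlwe_sample(s, q, n, rng, bound=2):
    """Toy Ring-LWE sample (a, b = a*s + e) in R_q; e uniform in [-bound, bound]^n (assumption)."""
    a = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-bound, bound) for _ in range(n)]
    b = [(c + ei) % q for c, ei in zip(negacyclic_mul(a, s, n), e)]
    return a, b, e

def recover_error(a, b, s, q, n):
    """Holder of s computes b - a*s mod q; a short e decodes exactly, a long one would not."""
    diff = [(bi - c) % q for bi, c in zip(b, negacyclic_mul(a, s, n))]
    return centered(diff, q)

def expansion_check(e1, e2, n):
    """Check both bounds from the slide; also return the observed product expansion."""
    prod, total = negacyclic_mul(e1, e2, n), [x + y for x, y in zip(e1, e2)]
    sum_ok = norm(total) <= norm(e1) + norm(e2) + 1e-9
    prod_ok = norm(prod) <= math.sqrt(n) * norm(e1) * norm(e2) + 1e-9
    return sum_ok, prod_ok, norm(prod) / (norm(e1) * norm(e2))

if __name__ == "__main__":
    n, q = 8, 257                      # constructed toy parameters, nowhere near a secure size
    rng = random.Random(2013)
    s = [rng.randrange(q) for _ in range(n)]
    a, b, e = rlwe_sample(s, q, n, rng)
    print("decoded error equals e:", recover_error(a, b, s, q, n) == e)
    print("(sum bound, product bound, observed expansion):", expansion_check(e, [1, -1] * (n // 2), n))
```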
More Rings, Please!

◮ Rings $\mathbb{Z}[X]/(1 + X^{2^k})$ don’t meet all our needs.
  ✗ They are rare — might make keys unnecessarily large in practice.
  ✗✗ Many schemes cannot use them at all! E.g., SIMD homomorphic encryption [SV’11] and applications [GHS’12abc].
◮ The $m$th cyclotomic ring: $R = \mathbb{Z}[X]/\Phi_m(X)$, where
  $\Phi_m(X) = \prod_{i \in \mathbb{Z}_m^*} (X - \omega_m^i) \in \mathbb{Z}[X], \qquad \omega_m = e^{2\pi\sqrt{-1}/m} \in \mathbb{C}.$
  Note: $\Phi_m(X)$ divides $(X^m - 1)$ and has degree $n = \varphi(m) = \deg(\Phi_m)$. The “power” $\mathbb{Z}$-basis of $R$ is $\{1, X, X^2, \ldots, X^{n-1}\}$.
◮ Examples: $\Phi_{2^{k+1}}(X) = 1 + X^{2^k}$, $\Phi_9(X) = 1 + X^3 + X^6$.
✔ Ring-LWE (appropriately defined) is hard in any cyclotomic [LPR’10] ... assuming problems on ideal lattices are quantum-hard in the worst case.
The Form of Cyclotomic Polynomials

◮ For prime $p$,
  $\Phi_p(X) = 1 + X + X^2 + \cdots + X^{p-1} \quad\text{and}\quad \Phi_{p^e}(X) = \Phi_p\bigl(X^{p^{e-1}}\bigr).$
  Mod-$\Phi_{p^e}(X)$ reduction is efficient; small(ish) expansion factor.
  But still not enough: e.g., SIMD FHE likes $m = 3 \cdot 7 \cdot 19 \cdot 73$.
◮ What about non-prime-power $m$?
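The facts stated on the last two slides, worked as an added example (not code from the talk): $\Phi_m$ is computed from $X^m - 1 = \prod_{d \mid m} \Phi_d(X)$ by dividing out the proper divisors, then checked against $\deg \Phi_m = \varphi(m)$, the examples $\Phi_9$ and $\Phi_{2^{k+1}}$, and the prime-power identity $\Phi_{p^e}(X) = \Phi_p(X^{p^{e-1}})$. All function names are my own; the exact-division route is one standard way to obtain $\Phi_m$ for general (non-prime-power) $m$.

```python
from functools import lru_cache, reduce
from math import gcd

def poly_mul(f, g):
    """Product of integer polynomials given as coefficient lists, low degree first."""
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] += fi * gj
    return out

def poly_divmod(f, g):
    """Long division over Z by a monic g (every Phi_m is monic); returns (quotient, remainder)."""
    f, dg = list(f), len(g) - 1
    quo = [0] * max(len(f) - dg, 1)
    for k in range(len(f) - dg - 1, -1, -1):
        coef = f[k + dg]
        quo[k] = coef
        for j, gj in enumerate(g):
            f[k + j] -= coef * gj
    return quo, (f[:dg] or [0])

@lru_cache(maxsize=None)
def cyclotomic(m):
    """Phi_m(X) from X^m - 1 = prod_{d | m} Phi_d(X): divide out the product of all proper Phi_d."""
    x_m_minus_1 = [-1] + [0] * (m - 1) + [1]
    proper = reduce(poly_mul, (cyclotomic(d) for d in range(1, m) if m % d == 0), [1])
    quo, rem = poly_divmod(x_m_minus_1, proper)
    assert not any(rem), "X^m - 1 must be divisible by the product of proper Phi_d"
    return tuple(quo)

def prime_power_cyclotomic(p, e):
    """Phi_{p^e}(X) = Phi_p(X^{p^(e-1)}): coefficient 1 at exponents k*p^(e-1), k = 0..p-1."""
    step, out = p ** (e - 1), [0] * ((p - 1) * p ** (e - 1) + 1)
    for k in range(p):
        out[k * step] = 1
    return tuple(out)

def euler_phi(m):
    return sum(1 for i in range(1, m + 1) if gcd(i, m) == 1)

def check_degree_and_divisibility(m):
    """The slide's two facts: deg Phi_m = phi(m), and Phi_m divides X^m - 1."""
    phi_m = list(cyclotomic(m))
    _, rem = poly_divmod([-1] + [0] * (m - 1) + [1], phi_m)
    return len(phi_m) - 1 == euler_phi(m) and not any(rem)

if __name__ == "__main__":
    print("Phi_9 =", cyclotomic(9), "| Phi_12 =", cyclotomic(12))
    print("phi(3*7*19*73) =", euler_phi(3 * 7 * 19 * 73))
```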